Tuesday, 31 August 2004

Review of The Design and Implementation of the FreeBSD Operating System Posted

Amazon.com just posted my five star review of The Design and Implementation of the FreeBSD Operating System. I was excited to see this update of the 1996 classic The Design and Implementation of the 4.4BSD Operating System finally published. From the review: "I have been administering FreeBSD systems for four years, and I read 'The Design' to get a better understanding of the system 'under the hood.' This book is definitely not for beginners, and...

Monday, 30 August 2004

What is the Ultimate Security Solution?

I received an email asking certain questions about digital security. Since the author said I could post my reply in my Blog, here is an excerpt from his email: "I have read of many ways that hackers obtain access. But, I am uncertain what is comprehensive protection. Clearly, there are firewalls, anti-virus, anti-spyware, IDS, IPS, and many other three letter acronym tools available. I have read of your use/support for Sguil. Do you feel that is the ultimate solution? There are other tools out there like eEye Blink, Pivx Qwikfix, and Securecore...

Sunday, 29 August 2004

Showing the FreeBSD Release Engineering Team is on schedule, FreeBSD 5.3-BETA2 is now available. Relating to my earlier post on GIANT, the announcement states "debug.mpsafenet (multi-processor safe network stack) is still turned off by default for BETA2 but will be turned on for BETA...

Saturday, 28 August 2004

GIANT-free Networking in FreeBSD 6.0 CURRENT and Upcoming 5.3 STABLE

I've been watching Robert Watson's work on removing the GIANT lock from the FreeBSD kernel. This is an aspect of the FreeBSD SMP project (aka SMPng). Robert's posts on 24 Aug 04 and 28 Aug 04 explain what is affected by these developments. The aspects I care about include the following:

- Those using KAME IPSec will not be able to disable the GIANT lock, at least not yet.
- FAST IPSEC does work with GIANT removed.
- The ath (802.11g), bge, dc,...

Friday, 27 August 2004

My Book on Slashdot

My book made Slashdot. Let's see how well this site and TaoSecurity.com hold up! Thank you to Anton Chuvakin for a positive review.

Update: Here's how the Slashdot effect looked to TaoSecurity.com:

Here's how the Slashdot effect looked to this Blog:

My Barnes and Noble sales rank has dropped from the 40,000 range to 20 -- I've passed Bill Clinton and Harry Potter. :) My Amazon.com sales rank has dropped from the 20,000 range to 119. Slashdot is...

Thursday, 26 August 2004

Senator Kennedy No-Fly Watch List and IDS "False Positives"

It struck me today that Senator Kennedy's no-fly watch list troubles are very similar to our digital security woes. Recently Kennedy said "he was stopped and questioned at airports on the East Coast five times in March because his name appeared on the government's secret 'no-fly' list." The Washington Post reported "a senior administration official, who spoke on condition he not be identified, said Kennedy was stopped because the name 'T. Kennedy'...

Wednesday, 25 August 2004

Fascinating .gov and .mil Docs

Perhaps "fascinating" is too strong a word, but I've come across several intriguing government reports and documents which security professionals might find interesting. First, the CERT/CC and the Secret Service released a joint report titled Insider Threat Study. It's based on "23 incidents carried out by 26 insiders in the banking and finance sector between 1996 and 2002. Organizations affected by insider activity in this sector include credit unions, banks, investment firms, credit bureaus, and other companies whose activities fall within this...

Helpful Technology Guides for PCI and RAID

If you ever need to deploy sensors to capture traffic in high load environments, you'll need quality NICs on a fast bus and plenty of hard drive storage. I came across guides for each technology that I thought people might like. The first is a .pdf by Digi.com on Peripheral Component Interconnect (PCI). The second guide describes Redundant Arrays of Inexpensive Disks (RAID). If you want to know what sorts of NICs I prefer, I usually try to deploy Intel produc...

Tuesday, 24 August 2004

Best Way to Extract a Pcap Session from A Larger Pcap Session?

I was asked today to describe the best way to extract a session from a libpcap file into its own libpcap file. In other words, if I have a large collection of network packets, how can I extract a specific session but keep that information in libpcap format? The answer I proposed relies on (1) identifying the session of interest and (2) telling Tcpdump what to extract. To meet the first goal, consider using a tool like Tcptrace to identify sessions...

Monday, 23 August 2004

FreeBSD 5.3-BETA1 Released

A significant step has been taken down the road to FreeBSD 5.3. Ken Smith announced the availability of FreeBSD 5.3-BETA1 yesterday. You can download an ISO from one of the mirrors, where the directory for an .iso will look like ftp://ftp10.freebsd.org/pub/FreeBSD/releases/i386/ISO-IMAGES/5.3/. I downloaded and burned the disc 1 .iso to CD and installed it on a Dell PowerEdge 750. It seems to be working fine. I did not have to dance fandango...

Helix Linux Forensic Live CD

You may already know of the FIRE live forensic CD and the Knoppix-STD security tools CD. Last week I attended a free talk by Ed Skoudis, who spoke about his favorite forensic live CD -- Helix, by Drew Fahey of e-fense. I downloaded Helix 1.4 (2004-07-04), burned it to CD, and it started without incident on a Dell PowerEdge 750. The major issue with forensic-minded live CDs is the degree to which they avoid touching the host computer's hard drive...

Comments on Firewalls, a New Security Magazine, and Wireless Wiretaps

My response to a thread about the differences between "firewalls" and "intrusion prevention systems" (IPSs) seems to have touched a nerve. A message from someone who works for an IPS vendor stated the following: "I know that it is unlikely that I can sway you, but I do not see why the investigative role should preclude the protective role. Aren't you arguing that police should not interfere with the criminals of the world?" I replied: "I didn't mean to imply that 'the investigative role should preclude the protective role.' I support products...

Saturday, 21 August 2004

InfoWorld published two articles of interest to the intrusion detection community this week. Network Detectives Sniff for Snoops is a review of "Internet Security Systems (ISS) Proventia G200, Lancope StealthWatch 4.0, Snort 2.10, and StillSecure Border Guard 4.3." I think they meant "Snort 2.1.0." Already you might suspect I have problems with this first article, which was done at the Naval Postgraduate School in Monterey, CA. My major concern with product reviews of this sort is their focus on alert-centric intrusion detection at the expense...

Tuesday, 17 August 2004

Need Help Proofreading My Book

In preparation for the second printing of The Tao of Network Security Monitoring: Beyond Intrusion Detection, my publisher has tasked me to find typos in the text. So far I've fairly thoroughly checked chapters 1 to 14. If anyone has found typos needing correction in chapters 15-18 and in the epilogue and appendices, I would really appreciate hearing about it. I am making changes to a copy of the book itself and plan to ship it via Priority Mail to my publisher Thursday afternoon. If you have any comments, please email them to taosecurity at...

Passive Asset Detection System Catalogs Hosts Offering Services

I'm happy to report successful use of Matt Shelton's Passive Asset Detection System (PADS). PADS watches network traffic and tries to recognize and record services it sees. I was able to compile and run PADS on Red Hat 9.0 and FreeBSD 5.2.1. Here is a sample run with PADS in the foreground. Because I do not specify the network to watch (with the "-n" switch), PADS reports every host offering a service:

drury:/$ sudo pads -i fxp0
pads - Passive Asset Detection System
v1.1 - 08/14/04
Matt Shelton
[-] Processing Existing assets.csv
[-] Listening on...

New Ethereal Release and Documentation

Ethereal 0.10.6 was released last week, and an up-to-date User's Guide (covering 0.10.5) was just published last Sunday. This document is a good alternative for those who can't afford to buy Syngress' Ethereal Packet Sniffing book. The User's Guide is over 200 pages in .pdf form, although a decent chunk of space is wasted for page and section brea...

Monday, 16 August 2004

McAfee Buys Foundstone

McAfee just announced they bought Foundstone "for $86 million in cash, less various adjustments." The consulting core, comprised of my former colleagues, "will become part of the McAfee Expert Services team." I spoke with one of them and he doesn't foresee any major changes on the consulting side. He expects to continue doing assessments and other security work. Given the price McAfee paid, McAfee primarily bought Foundstone for its technology and says it "is committed to supporting Foundstone customers and the continued development of the Foundstone...

Sunday, 15 August 2004

Perspectives on "Fed's Web Plan"

Today's New York Post opens with the following scare line: "With little fanfare, the Federal Reserve will begin transferring the nation's money supply over an Internet-based system this month — a move critics say could open the U.S.'s banking system to cyber threats." Apparently this is not the case. Reading from the Fedline Introduction, we find the following: "FedLine is the Federal Reserve Bank’s proprietary electronic delivery channel for financial institution access to Federal Reserve financial services, and includes DOS-based FedLine and...

Friday, 13 August 2004

I Told Oprah and Dr Phil to Watch Out...

My Amazon.com book rank has been all over the map -- as high as 2.2 million and as low as 1,011. BestBookBuys.com lists my book at #85 in their Top 100 Sellers. I think this means I am kicking some Oprah and Dr. Phil butt like I promised. Bill Clinton's book is safe at #11... for now. :) Bookpool is now the most trustworthy online vendor selling the book at a steep discount. You can get the book for $27.25 plus shipping. Amazon.com shows no sign of discounting their price, although my publisher has VP-level people working to fix Amazon's...

Thursday, 12 August 2004

RSS Feeds, Bmonday Comments, and Airpwn

Thanks to an email from Jim O'Gorman, I learned of a way to publish an RSS feed, even though Blogger only supports Atom. Try feeding this to your RSS reader. I've been using the Firefox plug-in Sage since Chris Reining's Blog told me about it. Sage supports RSS and Atom in a Firefox sidebar. Speaking of reading other people's Blogs, I was happy to see positive feedback on my book at Bmonday.com. My thoughts on logging packets allowed through...

Wednesday, 11 August 2004

Snort 2.2.0 Released

Brian just announced the release of Snort 2.2.0. You can look at the main Snort page or the ChangeLog for word on improvements and fixes. Combined with the changes for 2.2.0 RC1, this 2.2.0 release looks impressive. I will shortly update my Sguil installation guide using Sguil 0.5.2, Snort 2.2.0, and the appropriate supporting softwa...

Tuesday, 10 August 2004

New Sguil and Metasploit Releases

Bamm just released Sguil 0.5.1. This is a lot more than a bug fix release. There are some cool new features in Sguil 0.5.1, like enhanced reporting options, regular expression matching for the autocat function, and searching packet payloads in the client. I will update my installation guide soon, probably by next week. The only major installation issue involves a change in directory structures to support multiple...

Sunday, 08 August 2004

Net Optics Press Release on Book and USENIX Class

I'm a big fan of taps made by Net Optics, especially after reading advice from other manufacturers. Because I featured Net Optics taps in chapter 3 of my book, and brought one for my class network at USENIX, Net Optics published a press release on the two events today. I'd like to thank Net Optics for supporting my tap research and for giving expert advice on chapter 3. On a related note, I came across this 1996 thread discussing early tap u...

Dru Likes My Book and Good BSD News

While visiting BSDNews.com I read Dru Lavigne's latest musings. She has some kind words on my book: "So far, I'm really enjoying the book and appreciate Richard's logical, thorough approach and the plethora of useful URLs to additional references interspersed on nearly every page. His discussion on 'accessing traffic in each zone' is very practical and definitely written by someone who has 'been there done that'. And within the first 100 pages I've already come across undocumented or poorly documented BSD commands which Richard explains in detail." My...

Protecting Web Surfing from Prying Wireless Eyes

Well here I am at USENIX Security 2004, on the Town and Country Hotel's wireless network. I received an authorization code from the concierge, and no other instructions. This code wasn't a SSID since the guy after me received a different code. When I got to my hotel room, I fired up dstumbler to see what networks were available.

dstumbler wi0 -o

I found several LodgeNet access points, so I figured I'd try associating with those:

ifconfig wi0 ssid LodgeNet up

This got me associated:

ifconfig wi0
wi0: flags=8843 mtu 1500 ether 00:04:e2:29:3b:ba...

Friday, 06 August 2004

Romanian Hacker and Friends Indicted

A friend and former Foundstone colleague informed me of the indictment of a Romanian (Calin Mateias, 24, of Bucharest) and five Americans for conspiring to steal more than $10 million US in computer equipment from Ingram Micro of Santa Ana, California. I worked this case two years ago as a Foundstone consultant and helped detect and remove the intruder's X-based back doors from Ingram Micro systems. I commend Ingram Micro for publicly pursuing these intruders in court. This is one of the best ways to encourage other companies to go forward with...

Wednesday, 04 August 2004

Hints on Using Oinkmaster and Sguil

I released an updated Sguil Installation Guide today that shows how to replace the Snort stream4 keepstats-based session data collection system with John Curry's SANCP code. SANCP is a better option than stream4, as SANCP tracks not only TCP like stream4 but also UDP and ICMP. The flows are also easier to work with, since they tend to occupy single entries. I've also been experimenting with the best way to use Oinkmaster with my preferred directory layouts. When Oinkmaster runs, it works in the directory specified. For example: perl ./oinkmaster.pl...

Monday, 02 August 2004

Security Threat Profile in 2600 Magazine

2600 Magazine isn't the magazine I recommend to learn security tools and techniques, but the Summer 2004 issue has one article which justifies spending $5.50 to buy the whole issue. "A Guide to Internet Piracy" is a 4-page introduction to the "warez scene." The author, b-bstf, describes the piracy "food chain," from top to bottom:

- Warez/release groups: people who release warez to the warez community; often linked to the site traders
- Site traders: people who trade the releases from the above groups on fast servers
- FXP board users: script kiddies...

Sunday, 01 August 2004

Review of Defend IT Posted

Amazon.com just posted my four star review of Defend IT. From the review: "I commend ch 2 ('Home Architecture') for insights I find lacking in most books on intrusion detection or incident response. The authors astutely state on p. 26 and 33: 'this incident was not discovered by flashing lights and alerts set off by an IDS... In fact, there was no early indication of a network compromise.' This explains the authors' next recommendation: 'It is a...